Car hackgate: Security scandal exposed after two years
TENS of thousands of cars are vulnerable to thieves using electronic hacking, according to researchers whose findings were suppressed by a major manufacturer for two years.
The full details of the security loophole, which can now be revealed, show a widely used electronic security device designed to prevent thieves from breaking in and driving off with vehicles could easily be disabled by criminals.
Most modern cars cannot be "hot-wired" as they are powered by electronics. But organised criminals are finding hi-tech new ways to take control of vehicles. The problem is acute in London, where four out of 10 car thefts feature electronic hacking.
Three university researchers from Britain and Holland discovered that immobilisers fitted to more than 100 car makes had weak security that could be defeated - in some cases within a few minutes. But when they tried to publish their findings, Volkswagen took High Court legal action to stop them.
Critics claim the move could have a "chilling effect" on security research in the UK but VW defended it, stressing the firm went to "great lengths" to prevent "unauthorised individuals [gaining] access to our cars."
The researchers, Birmingham University's Flavio Garcia and Roel Verdult and Baris Ege, from Radbound University in Nijmegen, fought the ban, saying they identify security flaws so they can be fixed. They said their research started after police claimed cars were being stolen "and nobody can explain how".
Despite this a High Court judge agreed to the ban - saying he believed publication would "facilitate car crime".
The researchers denied their paper teaches people to steal vehicles, and argued that the ban on publication denied the car-buying public crucial information about the security of their vehicles.
Following more than a year of negotiations between the academics and VW, the full details have now been published. The researchers say only one sentence has been removed from the original research. It reveals how they identified "several weaknesses" in a Swiss-made security device called a Megamos Crypto system.
The device is used by a total of 26 car manufacturers including Audi, Fiat, Honda, Volvo as well as Volkswagen. Many top-range brands including Bentley, Ferrari, Porsche and Maserati are among those known to use them.
The manufacturer of the system claims to have sold over 100 million radio frequency identification chips which are designed to verify the identity of the ignition key being used to start the car engine. If thieves get into the vehicle without the right key, the engine should refuse to start.
The researchers showed how it was possible electronically to listen to signals sent between the security system and the key fob. By doing this, they were able to discover the vehicle's secret code within 30 minutes.
The academics warn the security devices were vulnerable to "close-range wireless communication" attacks and said situations such as valet parking and car rental where attackers could have access to both the immobiliser and the keys were a particular danger. They recommend the car industry use more sophisticated systems which are harder to defeat.
The researchers say they believe that some modifications have now been implemented on new models.
According to industry experts, the security flaw could cost manufacturers millions to fix. The radio frequency identity chips in the key fobs - as well as the equipment that responds in the engine starting system - will both require re-engineering or replacing.
A spokesman for Volkswagen said: "Volkswagen has an interest in protecting the security of its products and its customers. We would not make available information that might enable unauthorised individuals to gain access to our cars. In all aspects of vehicle security, we go to great lengths to ensure the security and integrity of our products against external malicious attack."
The RAC says electronic security has led to a dramatic improvement in levels of car theft, which has fallen 70 per cent in the last 40 years.
Last year near 70,000 cars were taken in the UK. Experts warn that the overall decrease hides a spike in electronic keyless thefts.
How the scam works
The Megamos Crypto immobiliser is designed to stop a thief breaking in and "hot-wiring" a car. A device called a transponder in the key fob sends an identification code to the immobiliser informing it the correct driver is present.
Scammers overcome this by electronically eavesdropping on the key fob signal and then using a commercially available computer programme to analyse it and emulate it. The immobiliser then decodes the signal and, if it is correct, starts the engine.
Researchers found the chips use relatively simple encryption. By listening to them talk to each other twice, anyone could quickly discover the pattern and copy the key.